diff --git a/manage.py b/manage.py
index 2322f91..66d1259 100755
--- a/manage.py
+++ b/manage.py
@@ -124,7 +124,10 @@ def pullProj(project):
 pulledImages = []
 for image in images:
 currentId = getImageId(image)
- runPodman("pull", image)
+ if re.search('^localhost/', image):
+ runPodman("compose", ["-f", f"projects/{project}/compose.yaml.rendered", "build", "--pull"])
+ else:
+ runPodman("pull", image)
 pulledId = getImageId(image)
 if currentId != pulledId:
 pulledImages += image
diff --git a/projects/keycloak/.env.mako b/projects/keycloak/.env.mako
new file mode 100644
index 0000000..54d5465
--- /dev/null
+++ b/projects/keycloak/.env.mako
@@ -0,0 +1,12 @@
+QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY=true
+
+#KEYCLOAK_ADMIN=
+#KEYCLOAK_ADMIN_PASSWORD=
+
+KC_DB_URL_HOST=postgres.${env['domain']}
+KC_DB_URL_DATABASE=keycloak
+KC_DB_USERNAME=${secrets['postgres']['keycloak']['user']}
+KC_DB_PASSWORD='${secrets["postgres"]["keycloak"]["pass"]}'
+
+KC_PROXY_HEADERS=xforwarded
+KC_HOSTNAME=https://kc.${env['domain']}
diff --git a/projects/keycloak/Dockerfile b/projects/keycloak/Dockerfile
new file mode 100644
index 0000000..a0f415d
--- /dev/null
+++ b/projects/keycloak/Dockerfile
@@ -0,0 +1,15 @@
+FROM quay.io/keycloak/keycloak:25.0 as builder
+
+ENV KC_DB=postgres
+
+WORKDIR /opt/keycloak
+
+RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=IP:127.0.0.1" -keystore conf/server.keystore
+RUN /opt/keycloak/bin/kc.sh build
+
+
+FROM quay.io/keycloak/keycloak:25.0
+COPY --from=builder /opt/keycloak/ /opt/keycloak/
+
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
+CMD ["start", "--optimized"]
diff --git a/projects/keycloak/compose.yaml.mako b/projects/keycloak/compose.yaml.mako
new file mode 100644
index 0000000..ac9d38a
--- /dev/null
+++ b/projects/keycloak/compose.yaml.mako
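Review bot: `pulledImages += image` at the end of the loop extends the list with the individual characters of the image name rather than the name itself, so whatever consumes `pulledImages` never sees a whole image reference; it should read `pulledImages.append(image)`. The added branch also runs `compose build --pull` for the whole project once per `localhost/` image inside the loop, so a project with several locally built images is rebuilt repeatedly; building once before the loop would avoid that. `image.startswith('localhost/')` states the test without a regex, and `re` has to be imported at the top of the file, which this hunk does not show. pullProj starts and ends outside the hunk.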
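Review bot: `KC_DB_PASSWORD='${secrets["postgres"]["keycloak"]["pass"]}'` wraps the rendered secret in single quotes while `KC_DB_USERNAME` is left bare, so the outcome depends on how the env-file reader treats quotes: a reader that keeps them hands the quotes to Keycloak as part of the password, and one that strips them breaks on a password containing `'`. Use one convention for both values and either restrict the secret's alphabet or escape it in the template. The rendered `.env.rendered` holds the database password in clear text, so it should be written with owner-only permissions and kept out of version control; neither is visible in this diff.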
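Review bot: The `RUN keytool -genkeypair -storepass password …` step bakes a TLS private key into an image layer under a fixed, well-known store password, so every container started from this image shares the same key and anyone who can read the image can extract it. keytool's default validity is 90 days and no `-validity` is given, so the certificate also lapses unless the image is rebuilt in time. Because the compose file publishes 8443 only on 127.0.0.1 behind a proxy, it would be cleaner to supply the certificate at deploy time (for example a mounted pair referenced through `KC_HTTPS_CERTIFICATE_FILE` and `KC_HTTPS_CERTIFICATE_KEY_FILE` in the env file) and drop the keytool step from the build.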
@@ -0,0 +1,11 @@
+services:
+ keycloak:
+ container_name: keycloak
+ build: .
+ image: localhost/keycloak:latest
+ network_mode: pasta:-a,${env['pasta']['keycloak']['ipv4']},-a,${env['pasta']['keycloak']['ipv6']}
+ restart: always
+ user: ${env['users']['keycloak']}:${env['users']['keycloak']}
+ env_file: .env.rendered
+ ports:
+ - 127.0.0.1:${env['ports']['keycloak']}:8443
diff --git a/pyenv.yml b/pyenv.yml
index 2cc2d54..0a57be9 100644
--- a/pyenv.yml
+++ b/pyenv.yml
@@ -64,6 +64,9 @@ pasta:
 hedgedoc:
 ipv4: 10.86.8.1
 ipv6: fc86::8
+ keycloak:
+ ipv4: 10.86.11.1
+ ipv6: fc86::11
 mailserver:
 ipv4: 10.86.13.1
 ipv6: fc86::13
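Review bot: The keycloak service is declared without any container hardening; for an identity provider listening on an unprivileged port, adding `security_opt: ["no-new-privileges:true"]` and `cap_drop: ["ALL"]` should cost nothing and limits what a compromised process can do. `user:` overrides the image's default account, so the rendered uid needs read access to the files copied into `/opt/keycloak` by the Dockerfile, including `conf/server.keystore`; that is worth confirming on a fresh build. Publishing the port on 127.0.0.1 only is the right choice as long as the reverse proxy is the sole client, which `KC_PROXY_HEADERS=xforwarded` in the env file assumes.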